1. 23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002

2. 23 October 2002Emmanuel Ormancey2 Topics  Statistics  Current Spam filtering at CERN  Products overview  Selected solution  How it works  Exchange 2000 integration

3. 23 October 2002Emmanuel Ormancey3 Some statistics…  At CERN:  Low level existing filters: 25% of mails detected as spam and rejected.  New filtering solution identifies 10% more.  Measurements in Europe for 2001 (NetValue users panel) :  Spam increased of 80% in 2001.  36.8% of received mails are Spam.  According to US AntiSpam company Brightmail:  Spam increased of 450% during last year  74% of received mails are Spam.

4. 23 October 2002Emmanuel Ormancey4 Current Spam Filtering  Basic checks:  Sendmail level tests.  Local lists of banned IP addresses, domains, subject keywords, emails.  Header “consistency” tests (i.e. message id format).  Mail rejected if identified as Spam.  Manual work:  Update local banned lists from abuse reports.  Remove entries when users report false positive rejections.

5. 23 October 2002Emmanuel Ormancey5 Commercial products  Commercial products too basic  Basic tests:  keywords in subject/body  IP address ban  Sender / recipient ban  Action:  Delete: helpdesk will receive user complaints if false positive.  Quarantine (i.e. Norton antivirus): require manual lookup to validate real spam and good mails.

6. 23 October 2002Emmanuel Ormancey6 SpamAssassin testing  How it works:  All in one: Different tests based on different techniques  Client / server version, with a ‘simple client’ allowing portability.  Good for spam detection.  Stability problem (on our Solaris).  Need to correct regular expressions bugs.  Not enough, need a mix of:  Mail content tests (SpamAssassin)  Low level “sendmail” tests (actual spam tests)  Need some custom rules and tests.  Need logs and statistics.

7. 23 October 2002Emmanuel Ormancey7 Solution  Start from SpamAssassin base  Add existing rules and custom tests  Easy to modify and to create add-ins.  Windows based: Future Exchange 2000 C#.NET SpamKiller  Easy to develop in any language.  Compiled regular expressions, compatible with unix.  After 3 months running and stress testing: no crash, no leak: seems stable.

8. 23 October 2002Emmanuel Ormancey8 Detecting spam - Tests  Different tests:  Text only (regular expressions):  Header  Body full text  Body raw for base64 encoded spam  “Smart tests” more complex than regular expressions.  Header consistency.  Open relays blacklist check on several servers.  Catalog check: compares mail with spam catalog (calculated signatures and subjects keywords).

9. 23 October 2002Emmanuel Ormancey9 Detecting spam – Scoring  Score calculation:  Each test returning true returns a score.  If sum of all scores is greater than ‘required hits’, mail is spam.  Lowest ‘required hits’ value is 5. Sample : Spam: True ; 5.559 / 5 Content analysis details: (5.559 hits, 5 required) 2 points: HTML-only mail, with no text version 0.21 points: 'Received:' has 'may be forged' warning 0.814 points: Subject has an exclamation mark 0.5 points: Spam phrases score is 00 to 01 (low) 2.035 points: 'remove' URL contains an email address

10. 23 October 2002Emmanuel Ormancey10 Detecting spam - Action  When spam is detected:  Do not delete mail, it may be an error or a commercial mailing list subscribed by user.  Do not reply to sender “we don’t accept spam” → it helps to improve spammer techniques.  Do not quarantine mail at server level: too much traffic and too much work.  A good mail service don’t loose mails. Solution: Let the user decide  Quarantine spam mail at the user level.  Allow user to check in quarantined mails for missing mails.  Allow user to choose a spam detection level (lowest level = 5)  Allow user to choose quarantine behavior.

11. 23 October 2002Emmanuel Ormancey11 User choice Configure Spam Level. Set expiration time. Cern Spam folder automatically created.

12. 23 October 2002Emmanuel Ormancey12 SpamKiller – Overview  Server:  Windows service.  Multithread "http like" server (clients on any platform can use it).  High exception catch to prevent server crash on error or bug.  Configuration:  Configuration in XML files (import from original SpamAssassin configuration possible).  Precompiled regular expressions to gain performance.  Statistics and logging:  Logs to perfmon (performance monitor) real-time statistics.  Logs statistics into XML files.

13. 23 October 2002Emmanuel Ormancey13 Exchange integration Exchange SMTP (1 to n servers) Incoming mail Spam Killer service (1 to n servers) SMTP Event sink Add header if score >= 5 Check mail Return score Internet Exchange store Asynchronous OnSave Event sink 1.Check user requested spam level. 2.Check header for score. 3.Move mail to CERN Spam if score > requested level.

14. 23 October 2002Emmanuel Ormancey14 Reporting Spam  Outlook XP: Com Add-in adds button to report spam (moves selected mails to specific public folder).  Others: Forward mail to abuse@cern.ch

15. 23 October 2002Emmanuel Ormancey15 Use of reported Spam  Spam reported with add-in button:  Mail in original format.  Create signatures.  Add signatures to catalog.  Can be automated.

16. 23 October 2002Emmanuel Ormancey16 Use of reported Spam  Spam forwarded to abuse@cern.ch abuse@cern.ch  Mail modified due to forward.  Extract header information.  Create catalog:  Subjects  IP  Senders

17. 23 October 2002Emmanuel Ormancey17 Statistics Online statistics available on SpamKiller website:

18. 23 October 2002Emmanuel Ormancey18 Conclusion  Now available to CERN Exchange users.  Up since July.  Low manual work: populate Spam catalog with tools, tune rules.  Problem with mailing lists filtering: add white list at user level in next release.  Clients can be created on any system. (possible reuse of SpamAssassin client).

19. 23 October 2002Emmanuel Ormancey19 Questions ? Contact: emmanuel.ormancey@cern.ch